Jan. 24, 2023, 3:03 p.m. | emmaline

Blog - Praetorian www.praetorian.com

Introduction

Throughout numerous Red Teams in 2022, a common theme of Source Control Supply Chain attacks in GitHub repositories has emerged. After many hours manually hunting for and exploiting these attack paths, we’ve built an all-in-one toolkit called Gato (GitHub Attack Toolkit) for finding and attacking repositories where these misconfigurations are present. We released the […]


The post Phantom of the Pipeline: Abusing Self-Hosted CI/CD Runners appeared first on Praetorian.

